Fri Apr 8 06:49:41 PDT 2016

Management: Security awareness: What sort of enterprise security awareness program should the enterprise have?


Options:

Option 1: Initial awareness training for all employees
Option 2: Periodic security reminders.
Option 3: Guest lectures.
Option 4: Training sessions.
Option 5: Verified learning systems.
Option 6: Scenario-based policy awareness programs.
Option 7: Booklets, pamphlets, and posters.
Option 8: Document review awareness.
Option 9: Day-to-day awareness programs.
Option A: Department meetings.
Option B: Video-based awareness programs.
Option C: Scenario game awareness programs.
Option D: Badging and carding.
Option E: Stand-downs.
Option F: Communications-based awareness programs.
Option G: Award programs.
Option H: Social pressure programs.
Option I: Covert awareness programs.

Decision:

IF the enterprise is small and not publicly owned and a minimal program is desired, THEN use initial awareness training, periodic security reminders, and training sessions.
OTHERWISE use the table below to determine when to use which approach.

Use ALL that apply:

Situation Technique
Upon start of work for anyone Use initial awareness training.
At least once every six months Use periodic security reminders.
For large groups of highly skilled workers Use guest lectures.
For personnel with access to medium or high risk systems or content Use training sessions.
For distant or traveling individuals who cannot make local training sessions, Use verified learning systems.
For cases where a wide range of possibilities exist and group cohesion is valuable, Use scenario-based policy awareness programs.
For cases where standard approaches are widely used by large numbers of workers, Use booklets, pamphlets, and posters.
At least annually, Document review awareness.
When a security culture is desired, Day-to-day awareness programs.
When periodic (usually monthly) department meetings are held, Department meetings.
When large distributed audiences are involved, Video-based awareness programs.
When complex policies are being implemented or social awareness is desired, Scenario game awareness programs.
When badges are in use, Badging and carding.
When circumstances dictate urgent and severe measures, Stand-downs.
When emergency notification of ongoing or immediately concerning events are needed, Communications-based awareness programs.
When a positive social benefit is emphasized for the security program, Award programs.
When specific behaviors are expected of workers under specific security-realted situations, Social pressure programs.
When trained behaviors are to be tested or reinforced unbeknownst to the workers, Covert awareness programs.
The awareness program

Basis:

Awareness acts to ensure compliance and create identification with the protection process by providing the necessary information to be able to recognize key situations and respond to them in accordance with the enterprise plan. The total set of awareness programs used throughout the enterprise provides the content used to build an effective operational security process.

Initial awareness training for all employees
Initial briefings are required for all those who access information within an enterprise setting. These briefings lay out the specific things the user has to know in terms that they can act on. Most employees get initial employee briefings through the HR process when they first arrive to start work and this is an ideal place to include the initial information protection briefing.

Periodic security reminders.
Periodic reminders are typically either in the form of posters, banners, etc. or are in the form of required reviews of material, displays of videos, email alerts, or other similar mechanisms.

Guest lectures.
Lectures are often used by large organizations with large technical groups or other widely-attended venues as a means to bring in high-quality experts to enhance internal programs.

Training sessions.
Training sessions are typically schedules in groups at a department or similar level (typically 10-30 people) and are carried out by trainers who review specific issues during each session. More effective programs include some sort of feedback to assure that the training is effective at least to the extent of demonstrating knowledge of the content of the session.

Verified learning systems.
Computer-based awareness programs provide a limited way to test for and track awareness of specific issues in specific audiences. As a novelty it may hold interest for a time, but it rapidly becomes drudgery and should only be used as part of a systematic effort associated with specific enterprise needs that cannot be fulfilled otherwise or as a verification of awareness given via other programs.

Scenario-based policy awareness programs.
Groups are sometimes formed for group processes associated with security issues. These processes can be designed to build up awareness programs, but the most effective and entertaining groups of these sorts for general security awareness tend to be those formed in awareness and training game group settings.

Booklets, pamphlets, and posters.
Posters and banners are sometimes used to keep up awareness levels. While individual posters typically lose their effect in a few weeks, it is not expensive to put up new posters every month as part of an awareness program. Posters used in one facility can be rotated to the next facility so that a dozen different posters purchased in quantities of a few dozen each can be used to cover dozens of facilities for a year.

Document review awareness.
Document review is required for all information the employee is required to sign associated with the information protection program. Most people don't read the documents they sign in office settings, so document review is necessary in order to assure that they indeed understand and agree to the terms involved.

Day-to-day awareness programs.
Day-to-day awareness is fostered by and fosters a properly protective work environment and culture. A goal of the IP Lead should be to create a culture of appropriate security through their overall program, with a central focus of cultural change and maintenance coming from the awareness program. A culture of security is not a culture of fear.

Department meetings.
Department meetings are often used to promote security and bring out protection-related issues. A fairly effective practice is for department meetings to include a review of the security failures of the last month. The IP Lead's awareness program should provide information for use in these meetings to aid in its effectiveness. This typically includes:

    A news story from the media that relates to employees directly, such as a story about someone losing their home after an identity theft cause bad credit,

    A current or recent situation within the enterprise involving a security problem found and fixed or a situation that impacted a large number of employees,

    Any changes to the protection program that have wide-ranging effects in the enterprise,

    The introduction of any new awareness program or other item of interest, and/or

    Any awards or reward programs associated with the security awareness program.

Video-based awareness programs.
Video-based awareness programs can be viewed by large audiences or copied for large numbers of smaller audiences. If properly produced with a combination of humor, social references, and examples, it can be effective at conveying important messages in a way that causes high retention of the high-level concepts. It can be repeated periodically but becomes stale over time unless mixed in with other programs. It is expensive to produce on your own but many such programs can be purchased for nominal fees.

Scenario game awareness programs.
Games, typically couched as strategic scenarios and situation analysis, are often used to create policies, work through issues, and understand aspects of a space. But they have also been applied to awareness programs. Typically, a game process is used by top management to develop policies and situations that are then played out for awareness programs by all levels of management and workers with an optional outside facilitator.

Badging and carding.
Badging & carding systems are often associated with physical access controls but they are also part of awareness programs. The programs should remind people that when they encounter someone without a badge they should take action. The specific actions should be identified and trained. The presence and enforcement of badging and carding systems themselves are also part of keeping people aware of security as an issue.

Stand-downs.
Stand-downs have been used in extreme circumstances to create awareness at a heightened level. For example, government agencies have used stand-downs that involve decertification of systems until they are repaired. They use the repair period to do in-depth awareness programs for all employees and contractors. In one case tens of thousands of employees were involved in shut-downs during which awareness programs were used all day every day to bring the seriousness of the security issues to light.

Communications-based awareness programs.
Memos, emails, mass voice mails, internal FAXes, and similar corporate communications are often used for awareness issues, particularly when there is a critical time-sensitive issue that requires immediate notice. This may be part of the emergency notification system of the enterprise that is also used in disaster recovery and other large-scale incidents. The use of these means for other aspects of awareness tends to be less effective and has the side effect of reducing the effectiveness of the emergency notification process by making it less unusual.

Award programs.
Award programs provide ways to make information protection activities positive experiences and generate social benefits to those who do these aspects of their job well. Award programs can be run for a few thousand dollars per year and typically include plaques or paper certificates, public notice, notice at department meetings, free dinners for two at local restaurants, or other similar items.

Social pressure programs.
Social pressure is applied by creating a culture that encourages secure behaviors. For example, when someone unrecognized is in a workspace, the employees who normally occupy that space should know to come over and say hello, introduce themselves, and find out if they can help the newcomer. If the newcomer is not forthcoming with useful information about who they are, if they don't have a proper badge, or if they are otherwise suspicious, the social environment should create the response that ultimately leads to the individual being escorted out of the facility, arrested, or otherwise handled. If this is the social environment, security will be effective and people will be friendly, but if it is not, penetration of the facility for long-term access will be easily achieved and sustained. Creating a social awareness program is a good foundation for the material included in the other aspects of the awareness program and leads to both compliance and identification with the desired protective behaviors.

Covert awareness programs.
Covert awareness programs have recently been noticed by advertisers and adopted for selling. They involve surreptitiously planting individuals within environments to create social changes. This may take the form of someone who displays protective behaviors in conjunction with a planted intruder, someone who creates a "buzz" around a new idea or program, or someone who uses any of a wide range of other influence tactics to move group behavior toward desired objectives.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved